add more security groups cause of limits (#9262)

* add more security groups cause of limits * change fix to follow ncr approach
ministryofjustice · Jan 8, 2025 · 16efa02 · 16efa02
1 parent 9cf7bde
commit 16efa02
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 10 deletions.
diff --git a/terraform/environments/oasys-national-reporting/locals_lbs.tf b/terraform/environments/oasys-national-reporting/locals_lbs.tf
@@ -10,7 +10,7 @@ locals {
       force_destroy_bucket             = true
       internal_lb                      = false
       load_balancer_type               = "application"
-      security_groups                  = ["public-lb"]
+      security_groups                  = ["public-lb", "public-lb-2"]
       subnets                          = module.environment.subnets["public"].ids
 
       listeners = {

diff --git a/terraform/environments/oasys-national-reporting/locals_security_groups.tf b/terraform/environments/oasys-national-reporting/locals_security_groups.tf
@@ -6,8 +6,10 @@ locals {
     enduserclient_internal = flatten([
       "10.0.0.0/8",
     ])
-    enduserclient_public = flatten([
-      module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
+    enduserclient_public1 = flatten([
+      module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+    ])
+    enduserclient_public2 = flatten([
       module.ip_addresses.azure_fixngo_cidrs.internet_egress,
       module.ip_addresses.mp_cidrs.live_eu_west_nat,
     ])
@@ -28,8 +30,10 @@ locals {
     enduserclient_internal = [
       "10.0.0.0/8"
     ]
-    enduserclient_public = flatten([
-      module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public,
+    enduserclient_public1 = flatten([
+      module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public
+    ])
+    enduserclient_public2 = flatten([
       module.ip_addresses.azure_fixngo_cidrs.internet_egress,
       module.ip_addresses.mp_cidrs.live_eu_west_nat,
     ])
@@ -63,19 +67,19 @@ locals {
           protocol    = -1
           self        = true
         }
-        http_lb = {
+        http = {
           description = "Allow http ingress"
           from_port   = 80
           to_port     = 80
           protocol    = "TCP"
-          cidr_blocks = local.security_group_cidrs.enduserclient_public
+          cidr_blocks = local.security_group_cidrs.enduserclient_public1
         }
-        https_lb = {
-          description = "Allow enduserclient https ingress"
+        https = {
+          description = "Allow https ingress"
           from_port   = 443
           to_port     = 443
           protocol    = "TCP"
-          cidr_blocks = local.security_group_cidrs.enduserclient_public
+          cidr_blocks = local.security_group_cidrs.enduserclient_public1
         }
       }
       egress = {
@@ -88,6 +92,42 @@ locals {
         }
       }
     }
+    public-lb-2 = {
+      description = "Security group for public load balancer part 2"
+      ingress = {
+        all-within-subnet = {
+          description = "Allow all ingress to self"
+          from_port   = 0
+          to_port     = 0
+          protocol    = -1
+          self        = true
+        }
+        http = {
+          description = "Allow http ingress"
+          from_port   = 80
+          to_port     = 80
+          protocol    = "tcp"
+          cidr_blocks = local.security_group_cidrs.enduserclient_public2
+        }
+        https = {
+          description = "Allow https ingress"
+          from_port   = 443
+          to_port     = 443
+          protocol    = "tcp"
+          cidr_blocks = local.security_group_cidrs.enduserclient_public2
+        }
+      }
+      egress = {
+        all = {
+          description     = "Allow all egress"
+          from_port       = 0
+          to_port         = 0
+          protocol        = "-1"
+          cidr_blocks     = ["0.0.0.0/0"]
+          security_groups = []
+        }
+      }
+    }
     lb = {
       description = "Security group for public subnet"
       ingress = {